A zero-day attack or zero-day exploit leverages an unknown vulnerability in either hardware or software. It's called a zero-day because at the point at which the exploit is discovered, developers have had "zero days" to implement a fix for the underlying vulnerability.
Zero-day exploits are feared in cybersecurity circles because the exploit is used against an unknown vulnerability in your code, and you almost never realize you've been compromised or exploited until the damage has already been done.
In this article, we'll take a deeper look at zero-day exploits and whether it is possible to avoid being the victim of one.
How Do Zero-Day Exploits Work?
It's an unfortunate truth, but developers inadvertently introduce zero-day vulnerabilities every day. The typical progression of a zero-day exploit looks like this:
A software developer creates some software, possibly a web application, and unknowingly leaves a vulnerability open.
A threat actor finds the vulnerability in the web application.
The threat actor develops exploit code to exploit the vulnerability.
In most cases, the exploit is either released or sold to other threat actors, though occasionally threat actors might hold on to the exploit themselves to use at a more opportune time.
In rare cases, nation-state threat actors might keep an exploit to themself with the intent of using it when it would be most beneficial from a strategic timing perspective, also known as back-door.
Only when a vulnerability is being actively exploited in the wild do organizations start noticing something amiss. Zero-day attacks are usually discovered when a company's identity data or private documents show up somewhere online.
It's only once the exploit has been discovered that developers have a chance to put mitigations in place, usually in the form of a software patch to fix the vulnerability in their software.
These zero-day vulnerabilities aren’t necessarily only introduced to your own applications by your own developers. Modern applications often use third-party libraries in their code, and the cybersecurity industry is seeing a rise in supply-chain attacks. This occurs when a threat actor manages to gain control of a popular third-party library, possibly one that's already used by thousands of web applications. Once the attacker gains control of the package’s code (or management thereof), they can introduce malicious code, such as adding a backdoor or crypto-mining code to the package.
Thousands of web applications might even automatically update to the latest version of the library, thereby installing a malicious version of a previously trusted library without the development teams’ knowledge.
Zero-day exploits can be very damaging to an organization, both from a financial and reputational perspective. Not only are they difficult to detect, but once detected, your resources need to be diverted to fix the vulnerabilities as soon as possible to mitigate the damage being done. This has created an ever-growing need for technologies that can preemptively detect and prevent zero-day exploits.
Famous Zero-Day Exploits and Attacks Using Them
While most zero-day exploits are discovered and fixed without much fanfare, every now and then an exploit is utilized on such a massive scale that the world takes notice.
Log4j is open source logging software that was developed by the Apache Software Foundation. Thanks to its ease of use, cross-platform capabilities, and low cost, many developers around the world implemented Log4j as their logging library of choice.
The exploit allowed attackers to perform a remote code execution (RCE) attack, which allows the attackers to run their own code on the target machine. This is a very dangerous type of attack, as it can give attackers direct access to your data center or, depending on the layout of your network, even the rest of your network.
Because of the widespread use of the Log4j library, there were thousands of organizations who were vulnerable to these types of attacks. In a blog post published by Check Point, it was estimated that more than four million attempts to exploit the vulnerability in the ten days after it was discovered were prevented. Attempted attacks were made on forty-eight percent of corporate networks in the world.
Atlassian is a company that develops popular productivity tools, such as Jira and Trello, among others. So you can imagine that the world took notice when in early June 2022, Atlassian disclosed a vulnerability that was affecting their Confluence Server and Confluence Data Center products. By the time the vulnerability was disclosed, there was evidence that it was already being exploited in the wild.
What made this vulnerability particularly dangerous was that it enabled attackers to perform remote code execution (RCE) attacks.
Akamai, a content delivery network provider, started tracking exploit attempts against this vulnerability almost immediately after Atlassian disclosed it, and found that the attacks peaked at about a hundred thousand malicious requests per day at a stage. IT teams from around the world scrambled to get patches in place.
CISA, the US-based agency responsible for the protection of other US agencies' digital infrastructure and assets, posted this vulnerability to their Known Exploited Vulnerabilities Catalog, which triggered a response in all the other agencies to act quickly to protect themselves by blocking inbound internet traffic to their Confluence servers until they were patched.
How Can You Identify a Zero-Day Exploit?
The first step to finding a zero-day exploit is almost always detection. There are a number of methods you can employ that might help you to identify when a zero-day exploit is being used.
While you might not be able to detect the zero-day exploit itself, you may be able to identify a signature or file hash from a known piece of malware that was deployed via the exploit. This could help you to work your way backwards to identify the route through which the threat actor compromised your network.
User and Entity Behavior Analytics
Some organizations use user and entity behavior analytics (UEBA) to build a baseline picture of what users and devices do on a normal day. UEBA software can help to identify anomalous activities that don't fit within the usual behavioral patterns. These anomalies could point to a zero-day exploit that was used to compromise a device or a software package.
Can You Prevent Zero-Day Exploits?
There are some common approaches that attempt to minimize zero-day exploits.
If your organization has a robust vulnerability management program, you can largely prevent attacks that are targeted against older pieces of unpatched software or hardware.
While vulnerability management itself won’t prevent zero-day attacks, it will give you a good idea of what software in your organization is most vulnerable and help you to prioritize your patching strategy.
Keep Your Software Updated
Staying on top of software updates helps keep you protected against vulnerabilities that were found and then patched by the developers. This method could also help to minimize your attack surface, as regular software updates could inadvertently fix zero-day vulnerabilities that had yet to be discovered or exploited.
Updating software doesn’t mean that all the zero-day vulnerabilities are fixed, though, especially if you have a large application consisting of many parts. It’s quite probable that there are still vulnerabilities left in your code.
Zero-Day Bug Bounty Programs
Many companies offer a bounty to hackers, security researchers, and reverse engineers who find zero-day vulnerabilities in their software. The idea is to incentivize the security community to find zero-day vulnerabilities before threat actors can, which allows companies to avoid the financial and reputational damage of having a vulnerability discovered by malicious actors.
One of the largest public bug bounty programs is run by HackerOne. Many large companies, including Apple and Microsoft, use this platform to post bounties for any vulnerabilities found in their applications.
Limiting Unnecessary Applications
Many companies that issue laptops and desktops to their employees try to maintain an application whitelist that only allows pre-approved software applications to be installed on the device. In most cases, enforcing this list is usually done by means of an application or management tool. Additionally, user accounts aren't given local administrator access on their devices, preventing software from gaining access to system functions.
Giving your employees free rein to install any application they want could allow an attacker to trick a user into downloading and installing malware disguised as a useful software utility. Said malware could then easily make use of a zero-day exploit to further compromise your company's network.
A good cybersecurity education program is key to teaching your employees the basics of cybersecurity, such as awareness of phishing and social engineering, the importance of device security, and the dangers of password sharing.
Education will certainly help to minimize the number of times your organization gets exposed by an employee clicking a phishing link, but as with the previous methods, it can't entirely mitigate the risk of zero-day exploits.
Input Validation and Sanitization
There's an adage in cybersecurity circles that if an application allows user input, it can be hacked. While it sounds extreme, it's not without merit. User input has always been an avenue for hackers to find vulnerabilities in your application’s input logic, and can lead to common attacks like SQL injections.
The best practice is to never trust user input. You have to design and write your application’s input logic in such a way that it will validate that data is being written to the correct fields, and also sanitize the inputs of any unnecessary strings or characters.
Many different attacks can be avoided just by following some basic principles of input validation and sanitization.
Use a Web Application Firewall
A web application firewall, or WAF, can significantly reduce the number of attacks against your public-facing web applications. A WAF is either a hardware or software component that sits in front of your web application and monitors all the connections that are made to the application. Connections that are deemed to be risky—or outright malicious—can simply be dropped.
Because a WAF scrutinizes all connections to your web application before they can connect, it's able to stop many common types of zero-day exploits before they even reach your application.
A WAF functions as a first line of defense for your web applications. Even if your web application contains zero-day vulnerabilities, it's possible that a well-managed WAF can prevent your application from being exploited by dropping malicious requests.
Preemptive Zero-Day Exploits Prevention
All of the methods above contribute to preventing zero-day exploits. But what about the zero-day exploits that can't be detected or prevented by the traditional methods?
open-appsec offers a new method for preventing zero-day exploits. open-appsec is a WAF, but in addition to the standard features and protections you expect from an advanced WAF, it uses a machine learning-based security model to detect and prevent zero-day exploits before they are known.
open-appsec uses contextual analysis to learn how users normally interact with your web application. It then uses this information to automatically detect requests that fall outside of normal operations, and sends those requests for further analysis to decide whether the request is malicious or not.
open-appsec's Contextual Machine Learning Engine is powered by two different machine learning models:
A supervised model that was trained offline and fed with millions of requests, both malicious and benign.
An unsupervised model that is being built in real time in the protected environment. This model uses traffic patterns specific to this environment.
Every request to your application goes through three phases:
First, the payload is decoded. All HTTP requests are parsed, JSON and XML sections are extracted, and any IP-level access control is applied.
Second, a multitude of variables are fed to the machine learning engine. These variables, which are either directly extracted from the HTTP request or decoded from different parts of the payload, include attack indicators, IP addresses, user agents, fingerprints, and many other considerations. The supervised model of the machine learning engine uses these variables to compare the request with many common attack patterns found across the globe.
If the request is identified as a valid and legitimate request, the request is allowed, and forwarded to your application. If, however, the request is considered suspicious or high risk, it then gets evaluated by the unsupervised model, which was trained in your specific environment. This model uses information such as the URL and the users involved to create a final confidence score that determines whether the request should be allowed or blocked.
This machine learning based approach sets open-appsec apart from other WAF solutions, enabling it to offer first-class security with minimal configuration or maintenance, and no false positives.
Application security is not easy and involves many steps. You have to design your application with security in mind, and continuously implement processes and procedures to prevent vulnerabilities from making their way into your code. Even the most cautious teams will sometimes make mistakes, though, and the use of third-party code in libraries and APIs increases the chances that you'll have vulnerabilities somewhere in your application.
To keep up with the ever-changing threat landscape, it's imperative that security strategies evolve to include new tools with new ideas. open-appsec is a fully automated web application and API security solution, powered by a patented machine learning engine that continuously analyzes and learns from HTTP requests made to your website or API.
It's every security professional's responsibility to implement an effective security solution. Don't just settle for a check mark in your next audit.